Merge pull request #7949 from logto-io/charles-log-12430-core-experience-maintain-app_id-in-url-search-params

feat(core,experience): maintain app_id in auth related URL search params

Author: charIeszhao

packages/core/package.json

@@ -80,7 +80,7 @@
     "lru-cache": "^11.0.0",
     "nanoid": "^5.0.9",
     "node-forge": "^1.3.1",
-    "oidc-provider": "github:logto-io/node-oidc-provider#c8f353f8593b951156e730b96da38a14386a3338",
+    "oidc-provider": "github:logto-io/node-oidc-provider#aa47a2b000d08e28c1d212aac1899eddd13009e9",
     "openapi-types": "^12.1.3",
     "otplib": "^12.0.1",
     "p-map": "^7.0.2",

packages/core/src/oidc/init.ts

@@ -10,7 +10,6 @@ import type { I18nKey } from '@logto/phrases';
 import {
   customClientMetadataDefault,
   CustomClientMetadataKey,
-  experience,
   extraParamsObjectGuard,
   inSeconds,
   logtoCookieKey,
@@ -33,6 +32,7 @@ import koaBodyEtag from '#src/middleware/koa-body-etag.js';
 import koaResourceParam from '#src/middleware/koa-resource-param.js';
 import postgresAdapter from '#src/oidc/adapter.js';
 import {
+  buildConsentPromptUrl,
   buildLoginPromptUrl,
   isOriginAllowed,
   validateCustomClientMetadata,
@@ -244,7 +244,7 @@ export default function initOidc(
           }
 
           case 'consent': {
-            return '/' + experience.routes.consent;
+            return '/' + buildConsentPromptUrl(appId);
           }
 
           default: {

packages/core/src/oidc/utils.ts

@@ -145,3 +145,13 @@ export const buildLoginPromptUrl = (params: ExtraParamsObject, appId?: unknown):
 
   return firstScreen + getSearchParamString();
 };
+
+export const buildConsentPromptUrl = (appId?: unknown): string => {
+  const searchParams = new URLSearchParams();
+  if (appId) {
+    searchParams.append('app_id', String(appId));
+  }
+  const searchParamString = searchParams.size > 0 ? `?${searchParams.toString()}` : '';
+
+  return experience.routes.consent + searchParamString;
+};

packages/experience/src/apis/api.ts

@@ -1,11 +1,22 @@
 import i18next from 'i18next';
 import ky from 'ky';
 
+import { searchKeys } from '@/utils/search-parameters';
+
 export default ky.extend({
   hooks: {
     beforeRequest: [
       (request) => {
         request.headers.set('Accept-Language', i18next.language);
+        /**
+         * Attach app ID to HTTP header in order to support client-specific interaction cookie
+         * for Experience API requests. The header is used by the oidc-provider library to identify
+         * the client, and hence the related interaction details.
+         */
+        const appId = sessionStorage.getItem(searchKeys.appId);
+        if (appId) {
+          request.headers.set('Logto-App-Id', appId);
+        }
       },
     ],
   },

packages/experience/src/utils/search-parameters.ts

@@ -35,8 +35,11 @@ export const handleSearchParametersData = () => {
     const value = parameters.get(key);
     if (value) {
       sessionStorage.setItem(key, value);
-      parameters.delete(key);
-    } else {
+      if (key !== searchKeys.appId) {
+        // Keep app_id in the URL for resuming sessions
+        parameters.delete(key);
+      }
+    } else if (key !== searchKeys.appId) {
       sessionStorage.removeItem(key);
     }
   }

packages/integration-tests/src/client/index.ts

@@ -112,7 +112,8 @@ export default class MockClient {
 
     // Note: Should redirect to logto consent page
     assert(
-      authResponse.status === 303 && authResponse.headers.get('location') === '/consent',
+      authResponse.status === 303 &&
+        authResponse.headers.get('location') === `/consent?app_id=${this.config.appId}`,
       new Error('Invoke auth before consent failed')
     );
 

packages/integration-tests/src/tests/api/audit-logs/index.test.ts

@@ -7,6 +7,7 @@ import { getAuditLogs } from '#src/api/logs.js';
 import MockClient from '#src/client/index.js';
 import { enableAllPasswordSignInMethods } from '#src/helpers/sign-in-experience.js';
 import { generateNewUserProfile } from '#src/helpers/user.js';
+import { parseInteractionCookie } from '#src/utils.js';
 
 describe('audit logs for interaction', () => {
   beforeAll(async () => {
@@ -20,10 +21,12 @@ describe('audit logs for interaction', () => {
   it('should insert log after interaction started and ended', async () => {
     const client = new MockClient();
     await client.initSession();
-    const interactionId = client.parsedCookies.get('_interaction');
+    const interactionCookie = client.parsedCookies.get('_interaction');
 
-    assert(interactionId, new Error('No interaction found in cookie'));
-    console.debug('Testing interaction', interactionId);
+    assert(interactionCookie, new Error('No interaction found in cookie'));
+    console.debug('Testing interaction', interactionCookie);
+
+    const interactionId = parseInteractionCookie(interactionCookie)['demo-app'];
 
     // Expect interaction create log
     const createLogs = await getAuditLogs(

packages/integration-tests/src/tests/console/bootstrap.test.ts

@@ -108,7 +108,7 @@ describe('smoke testing for console admin account creation and sign-in', () => {
       )
     );
 
-    expect(page.url()).toBe(new URL('sign-in', logtoConsoleUrl).href);
+    expect(page.url()).toBe(new URL('sign-in?app_id=admin-console', logtoConsoleUrl).href);
   });
 
   it('can sign in to admin console again', async () => {

packages/integration-tests/src/utils.ts

@@ -148,3 +148,12 @@ export const devFeatureDisabledTest = Object.freeze({
   it: isDevFeaturesEnabled ? it.skip : it,
   describe: isDevFeaturesEnabled ? describe.skip : describe,
 });
+
+export const parseInteractionCookie = (cookie: string): Record<string, string> => {
+  try {
+    // eslint-disable-next-line no-restricted-syntax
+    return JSON.parse(cookie) as Record<string, string>;
+  } catch {
+    return {};
+  }
+};